UserManager v7.22.1 — Transfer Limit Not Enforced at Reconnect (PPP/OVPN)

RouterOS The User Manager
1

RouterOS version: 7.22.1 (stable) Board: CHR x86_64 (OpenStack) Package: user-manager

Problem:

Users who exceed their transfer-limit can reconnect and continue using the internet as if they have fresh quota. UserManager shows them as running-active and sends Access-Accept even after the limit is exceeded.

My full relevant config

/ppp/aaa/print
use-radius: yes
accounting: yes
interim-update: 5m
use-circuit-id-in-nas-port-id: yes

/radius/print
address=192.168.102.1 service=ppp secret=1 require-message-auth=no

/radius/incoming/print
accept: yes
port: 3799

/user-manager/print
enabled: yes
use-profiles: yes
require-message-auth: no

/user-manager/router/print
name="1" address=192.168.102.1 protocol=udp coa-port=3799

Limitation config (example — 5G plan)

/user-manager/limitation/print detail where name=5G
name="5G"
download-limit=0B
upload-limit=0B
transfer-limit=5368709120B
uptime-limit=0s
reset-counters-interval=disabled
rate-limit-rx=500000B
rate-limit-tx=1000000B

Profile config

/user-manager/profile/print where name=1M-5G
name=1M-5G
starts-when=first-auth
validity=4w2d

/user-manager/profile-limitation/print where profile=1M-5G
limitation=war-5G profile=1M-5G

Proof of the problem — user fast_vpn_17

/user-manager/user/monitor [find name=fast_vpn_17] once
total-uptime: 2d6h18m21s
total-download: 4.7GiB
total-upload: 986.6MiB
active-sessions: 1
actual-profile: 1M-5G

/user-manager/user-profile/print detail where user=fast_vpn_17
user=fast_vpn_17 profile=1M-5G state=running-active end-time=2026-06-01 17:19:03

Total usage = 4.7 GiB + 986 MiB = ~5,796 MiB which exceeds the 5,120 MiB (5 GiB) limit. Profile state is still running-active. UserManager is not transitioning to expired.

RADIUS log at reconnect — Access-Accept with NO Session-Timeout:

radius,debug new request code=Access-Request service=ppp
radius,debug rx reply code=Access-Accept
    MT-Rate-Limit = "500000/1000000 1000000/2000000 375000/750000 20/20 0 500000/1000000"
    Class = 0x...
    Message-Authenticator = 0x...

Notice: no Session-Timeout, no Access-Reject — UserManager accepts the over-quota user unconditionally at every reconnect.

Questions:

  1. Is there a specific config that makes transfer-limit properly send Access-Reject at reconnect for PPP/OVPN users?

  2. Is download-limit + upload-limit separately more reliable than transfer-limit?

  3. Is there a known fix or workaround in any specific ROS v7.x release?

  4. Is the Mikrotik-Total-Limit attribute in UserGroups a reliable alternative?

Any help appreciated.